RE: Multiple IP on the same server howo to idenfity

From: Amin Tora (atora@EPLUS.com)
Date: Thu Jun 10 2004 - 17:14:58 EDT

• Next message: Yonatan Bokovza: "RE: Multiple IP on the same server howo to idenfity"
• Previous message: Harlan Carvey: "RE: USB delivered attacks - lessons learned/summary (so far)"
• Maybe in reply to: NetExpress: "Multiple IP on the same server howo to idenfity"
• Next in thread: Yonatan Bokovza: "RE: Multiple IP on the same server howo to idenfity"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

One idea:

Look at the default settings in the IP/TCP/UDP/ICMP headers ... Coming
from the box...

If it is all the same it _COULD_ be the same box performing NAT/PAT or
using virtual machines...
If the packets are dis-similar then it _COULD_ be different boxes...
Again note "_COULD_"

But all this is again "guessing"...

The other thing to do is to call up the contact at the customer and ask
up front or social engineering...<grin>

Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com

**NOTICE**
------------------------------------------
THE INFORMATION CONTAINED IN THIS ELECTRONIC TRANSMISSION AND ANY
ATTACHMENTS HERETO IS CONSIDERED PROPRIETARY AND CONFIDENTIAL.
DISTRIBUTION OF THIS MATERIAL TO ANYONE OTHER THAN THE ADDRESSED IS
PROHIBITED. ANY DISCLOSURE, COPYING, DISTRIBUTION OR USE OF THE CONTENTS
OF THIS TRANSMISSION OR ANY ATTACHMENTS HERETO FOR ANY REASON OTHER THAN
THEIR INTENDED PURPOSE IS PROHIBITED. IF YOU HAVE RECEIVED THIS
TRANSMISSION IN ERROR, PLEASE CONTACT THE SENDER.
------------------------------------------

-----Original Message-----
From: NetExpress [mailto:NetExpress@infogroup.it]
Sent: Thursday, June 10, 2004 6:13 AM
To: pen-test@securityfocus.org
Subject: Multiple IP on the same server howo to idenfity

Hi, the problem is, if I am doing a penetration test from internte to
many servers, probably there should be some IP ont the same server o
network adapter like load balancer.
In a report, and to avoid false positive, should be usefull to identify
which IPs are on the same server, but how?
If I should be in the internal network I am testing I'll use arp to find
the MAC address of each IP and I should have solved, but from Internet I
cannot use arp.

 From Internet I could use the banner, but this is not sure, I could
have more then one application server on the same server with n-IP on
application server A and m-IP on the application server B getting the
banner should not be the right choise especialy with proxy.

Any idea?

Thanks

Alessandro Fiorenzi

• Next message: Yonatan Bokovza: "RE: Multiple IP on the same server howo to idenfity"
• Previous message: Harlan Carvey: "RE: USB delivered attacks - lessons learned/summary (so far)"
• Maybe in reply to: NetExpress: "Multiple IP on the same server howo to idenfity"
• Next in thread: Yonatan Bokovza: "RE: Multiple IP on the same server howo to idenfity"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT